Agentless Integration Kit

Reference ID SP Adapter settings reference

Field descriptions for the Reference ID SP Adapter configuration screen.

Standard fields
Field Name Description

Authentication Endpoint

The application endpoint URL for user authentication requests.

User Name

The ID that the application uses to authenticate to the PingFederate server.

This field is required to enable Basic HTTP authentication for the application.

Pass Phrase

The password that the application uses to authenticate to the PingFederate server.

This field is required to enable Basic HTTP authentication for the application.

Allowed Subject DN

For certificate authentication, this field specifies an acceptable subject DN of the client certificate.

You can use the asterisk (*) wildcard character to match variances in the value for components that are allowed to be variable, like the common name (CN). A maximum of one wildcard character can be used per DN. Separate multiple subject DNs with a pipe (|).

If this field is empty, any subject DN is allowed.

Allowed Issuer DN

For certificate authentication, this field specifies an acceptable issuer DN of the incoming client certificate.

You can use the asterisk (*) wildcard character to match variances in the value for components that are allowed to be variable, like the common name (CN). A maximum of one wildcard character can be used per DN. Separate multiple issuer DNs with a pipe (|).

If this field is empty, any issuer DN is allowed.
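The following added example (not part of the original page or of PingFederate) checks a value intended for Allowed Subject DN or Allowed Issuer DN against the rules above and shows which certificate DNs it would admit. How PingFederate compares DNs internally is not stated here, so the case-insensitive comparison and both wildcard readings are assumptions, and the sample DNs are constructed.

```python
import re


def parse_allowed_dns(value):
    """Split an Allowed Subject DN / Allowed Issuer DN value into patterns.

    Returns (patterns, findings). Findings flag values that break the
    documented rules or that allow more than the operator may intend.
    """
    patterns, findings = [], []
    if not value.strip():
        return patterns, ["field is empty: any DN is allowed"]
    for entry in value.split("|"):
        dn = entry.strip()
        if not dn:
            findings.append("empty entry between pipes")
        elif dn.count("*") > 1:
            findings.append("more than one wildcard: " + dn)
        else:
            if dn == "*":
                findings.append("bare wildcard: any DN is allowed")
            patterns.append(dn)
    return patterns, findings


def dn_allowed(dn, patterns, span_components=True):
    """Check a certificate DN against the parsed patterns.

    Assumed semantics (not stated on the page): literal text is compared
    case-insensitively, and '*' either spans commas (span_components=True,
    the conservative reading for an audit) or stays inside one component.
    """
    if not patterns:
        return True  # documented behaviour: empty field allows any DN
    wildcard = ".*" if span_components else "[^,]*"
    for pattern in patterns:
        regex = wildcard.join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, dn, flags=re.IGNORECASE):
            return True
    return False


# Constructed sample value, as it would be typed into the field.
SAMPLE = "CN=app-*,OU=Apps,O=Example|CN=batch01,OU=Jobs,O=Example"
```

Running candidate values through both wildcard readings before saving the adapter shows whether a pattern admits DNs with extra components that were not intended.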

Logout Service Endpoint

The URL of your application’s logout service endpoint, such as https://portal.example.com/logout.

When Logout Mode is set to Front Channel, PingFederate uses this URL as part of the single logout (SLO) flow. For details, see the Logout Mode description below.

Logout Mode

Determines how the adapter handles application logout.

Front Channel
  1. During the SLO flow, PingFederate redirects the browser to your application’s Logout Service Endpoint URL and provides the reference ID and resume path values.

  2. Your application uses the reference ID or a session cookie to identify and end the user session, then redirects the browser back to the PingFederate resume path.

  3. PingFederate completes the SLO process.

Back Channel

The adapter sends a direct HTTP request to the IdP application. To include an attribute in a dynamic URL, use the ${attribute-name} variable.

None

Select this option if your application does not maintain user sessions.

The default selection is None.
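Step 2 of the Front Channel flow, on the application side, as an added example that is not part of the original page or of any Ping Identity sample. It identifies the session by its cookie, ends it, and builds the redirect from the supplied resume path only if that path stays on the PingFederate host. The base URL, the session store, the function names and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch (not taken from the page):
PF_BASE_URL = "https://sso.example.com:9031"   # constructed PingFederate base URL
SESSIONS = {"sid-1": {"user": "jdoe"}}         # constructed session store, keyed by cookie


def safe_resume_url(resume_path):
    """Turn the resume path received in the logout request into a redirect URL.

    Only a server-relative path is accepted, so the redirect cannot leave
    the configured PingFederate host whatever value arrives in the request.
    """
    if not resume_path or not resume_path.startswith("/"):
        raise ValueError("resume path must be server-relative")
    if resume_path.startswith("//") or "\\" in resume_path:
        raise ValueError("resume path must not name a host")
    if any(ord(ch) < 0x20 for ch in resume_path):
        raise ValueError("control character in resume path")
    parts = urlsplit(resume_path)
    if parts.scheme or parts.netloc:
        raise ValueError("resume path must not carry a scheme or host")
    return PF_BASE_URL + resume_path


def handle_front_channel_logout(session_cookie, resume_path, sessions=SESSIONS):
    """End the local session, then send the browser back to PingFederate.

    Returns (status, location). The session is ended first, so a request
    with a rejected resume path still logs the user out and gets a 400.
    """
    sessions.pop(session_cookie, None)   # repeated logout requests are harmless
    try:
        return 302, safe_resume_url(resume_path)
    except ValueError:
        return 400, None
```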

Account Linking Authentication Endpoint

The SP application URL where incoming SSO users can access IDs for local accounts, via SAML account linking.

Learn more about account linking in About account linking in the PingFederate documentation.

Advanced fields
Field Name Description

Transport Mode

This field defines the method that the adapter uses for front-channel communication with the application.

Form POST: The adapter sends data using a POST request. Data is contained within the body of the request.

Query Parameter: The adapter sends data as part of the URL string. Some data, such as the reference value, is exposed with this method.

The default selection is Form POST.

Reference Duration

The amount of time (in seconds) that the PingFederate server keeps the referenced attributes in memory. Increase this value to accommodate network delays. Learn more in Development considerations.

The default value is 3.

Reference Length

The number of bytes used for the pseudo-randomly-generated reference ID. Increase this value to make the reference ID more difficult to replicate. Learn more in Development considerations.

The default value is 30.

Require SSL/TLS

This check box controls whether PingFederate requires a secure connection for calls made to the attribute-retrieval endpoint. We recommend using the secure transport protocol unless a secure, dedicated network segment exists between the application server and PingFederate.

This check box is selected by default.

Outgoing Attribute Format

The format that the adapter uses to encode attribute values in HTTP responses it sends to the application. The application must be able to parse this format. Learn more in Attribute formatting.

The default selection is JSON.

Incoming Attribute Format

The format that the application uses to encode attribute values in HTTP requests it sends to the adapter. Learn more in Attribute formatting.

The default selection is JSON.

Skip Host Name Validation

When a connection is established with the application, this setting determines whether PingFederate matches the target hostname against the names stored inside the server certificate presented by the application. Skipping this validation can be useful during development or testing.

Applies when Logout Mode is set to Back Channel.

This check box is cleared by default.

Relax Pass Phrase Requirements

When selected, the adapter does not enforce requirements for the application credentials entered in the Pass Phrase field. When cleared, the adapter enforces strong password requirements for better security.

Use this for development, testing, or upgrading from previous versions of the adapter that did not enforce password requirements.

This check box is cleared by default.